(ITS#3962) using slapd.d makes tls certificates not work??
Full_Name: Perry Nguyen
Version: 2.3.6
OS: Linux FC4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (66.245.252.239)
The following is a reproduction of the problem; my slapd.conf is included below
it.
[root@ares openldap]# rm -rf slapd.d
[root@ares openldap]# service ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
[root@ares openldap]# ldapwhoami -H ldaps:///
SASL/GSSAPI authentication started
SASL username: root@GOFTI.COM
SASL SSF: 56
SASL installing layers
dn:uid=root,ou=people,dc=hanhuy,dc=com
[root@ares openldap]# service ldap stop
Stopping slapd: [ OK ]
[root@ares openldap]# mkdir slapd.d
[root@ares openldap]# slaptest -f slapd.conf -F slapd.d
config file testing succeeded
[root@ares openldap]# chown -R ldap.ldap slapd.d
[root@ares openldap]# service ldap start
Checking configuration files for slapd: /etc/openldap/slapd.d: line 1: warning:
cannot assess the validity of the ACL scope within backend naming context
/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL
scope within backend naming context
/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL
scope within backend naming context
/etc/openldap/slapd.d: line 1: warning: ACL appears to be out of scope within
backend naming context
/etc/openldap/slapd.d: line 1: warning: ACL appears to be out of scope within
backend naming context
/etc/openldap/slapd.d: line 1: warning: ACL appears to be out of scope within
backend naming context
/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL
scope within backend naming context
config file testing succeeded
[ OK ]
Starting slapd: /etc/openldap/slapd.d: line 1: warning: cannot assess the
validity of the ACL scope within backend naming context
/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL
scope within backend naming context
/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL
scope within backend naming context
/etc/openldap/slapd.d: line 1: warning: ACL appears to be out of scope within
backend naming context
/etc/openldap/slapd.d: line 1: warning: ACL appears to be out of scope within
backend naming context
/etc/openldap/slapd.d: line 1: warning: ACL appears to be out of scope within
backend naming context
/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL
scope within backend naming context
[ OK ]
[root@ares openldap]# ldapwhoami -H ldaps:///
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure
[root@ares openldap]# rm -rf slapd.d
[root@ares openldap]# service ldap restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
[root@ares openldap]# ldapwhoami -H ldaps:///
SASL/GSSAPI authentication started
SASL username: root@GOFTI.COM
SASL SSF: 56
SASL installing layers
dn:uid=root,ou=people,dc=hanhuy,dc=com
###
### slapd.conf
###
# Configuration as submitted with the report above: ldaps:// works when slapd
# reads this file directly and fails with an SSL handshake error after the same
# file is converted with `slaptest -f slapd.conf -F slapd.d` (see transcript).
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Samba ldapsam schema
include /etc/openldap/schema/samba.schema
# Heimdal krb5 schema
include /etc/openldap/schema/krb5-kdc.schema
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# TLS material for ldaps:// and StartTLS. The previous certificate/key
# locations are kept commented out; the active ones live under /etc/pki.
#TLSCACertificateFile /etc/openldap/certs/hanhuy.cert
#TLSCertificateFile /etc/openldap/certs/hanhuy.cert
#TLSCertificateKeyFile /etc/openldap/keys/hanhuy.key
# NOTE(review): the handshake failure after conversion suggests these three
# directives were not carried into slapd.d (or the converted values differ);
# compare the generated cn=config against these paths, and check that the key
# file stays readable by the slapd service user and nobody else.
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCertificateFile /etc/pki/openldap/ldap.cert
TLSCertificateKeyFile /etc/pki/openldap/ldap.key
# Minimum security strength factors: ssf=1 requires at least an
# integrity-protected connection for any operation, update_ssf=70 for updates,
# and simple_bind=64 keeps cleartext simple binds off unprotected connections.
# update_ssf=70 instead of 112 because we use the ldapi interface with ssf=71
security ssf=1 update_ssf=70 simple_bind=64
# Access controls. slapd evaluates 'access to' clauses in order and applies
# the first clause whose target matches, so the attribute-specific rules
# below must stay above the catch-all 'access to *' at the end of the list.
# NOTE(review): these clauses are placed before 'database bdb' and are
# therefore global; the "ACL appears to be out of scope within backend naming
# context" warnings in the transcript presumably refer to targets outside
# dc=HanHuy,dc=com such as cn=config — confirm against the converted config.
# Do not allow users to change their objectClass, or POSIX uid/gid values
# Samba only needs access to the gidNumber, we should split it out
access to attrs=objectClass,uidNumber,gidNumber,saslAuthzTo
by group.base="cn=Directory Admins,ou=Groups,dc=HanHuy,dc=com" write
by dn.base="uid=Samba,ou=Services,dc=HanHuy,dc=com" write
by dn.base="uid=SmbLdapTools,ou=Services,dc=HanHuy,dc=com" write
by * read
# Only samba can change samba attributes
access to attrs=sambaPwdCanChange,sambaPwdMustChange,sambaPwdLastSet,sambaAcctFlags,sambaSID,sambaPrimaryGroupSID,sambaPasswordHistory
by group.base="cn=Directory Admins,ou=Groups,dc=HanHuy,dc=com" write
by dn.base="uid=Samba,ou=Services,dc=HanHuy,dc=com" write
by dn.base="uid=SmbLdapTools,ou=Services,dc=HanHuy,dc=com" write
by * read
# Do not allow anyone to read any of the encrypted passwords
# 'by * auth' permits binding against the stored hash (compare only) without
# disclosing it. NOTE(review): 'uid=Local Admin' is nonetheless granted read
# below — presumably for the Heimdal KDC, which authz-regexp maps to that
# identity; confirm this is intended.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by group.base="cn=Directory Admins,ou=Groups,dc=HanHuy,dc=com" write
by dn.base="uid=Samba,ou=Services,dc=HanHuy,dc=com" write
by dn.base="uid=SmbLdapTools,ou=Services,dc=HanHuy,dc=com" write
by dn.base="uid=Local Admin,ou=Services,dc=HanHuy,dc=com" read
by * auth
# Access control the administrative group
access to dn.sub="cn=config"
by dn.base="uid=root,ou=People,dc=HanHuy,dc=com" write
by group.base="cn=Directory Admins,ou=Groups,dc=HanHuy,dc=com" write
by * read
access to dn.base="cn=Directory Admins,ou=Groups,dc=HanHuy,dc=com"
by dn.base="uid=root,ou=People,dc=HanHuy,dc=com" write
by group.base="cn=Directory Admins,ou=Groups,dc=HanHuy,dc=com" write
by * read
access to dn.base="cn=Domain Admins,ou=Groups,dc=HanHuy,dc=com"
by group.base="cn=Directory Admins,ou=Groups,dc=HanHuy,dc=com" write
by * read
# Only the Local Admin should be able to access the kerberos tree
# 'by * none' denies every other identity, authenticated or not.
access to dn.sub="ou=Kerberos,dc=HanHuy,dc=com"
by group.base="cn=Directory Admins,ou=Groups,dc=HanHuy,dc=com" write
by dn.base="uid=Local Admin,ou=Services,dc=HanHuy,dc=com" write
by * none
# read access for all, write by the user himself and write to all by admins
# Catch-all: anything not matched by an earlier clause is evaluated here.
access to *
by group.base="cn=Directory Admins,ou=Groups,dc=HanHuy,dc=com" write
by dn.base="uid=Samba,ou=Services,dc=HanHuy,dc=com" write
by dn.base="uid=SmbLdapTools,ou=Services,dc=HanHuy,dc=com" write
by self write
by * read
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=HanHuy,dc=com"
# Generate a password with slappasswd
#rootdn "uid=root,ou=People,dc=HanHuy,dc=com"
#rootpw {SSHA}GENERATEDPASSWORD
# No rootdn/rootpw is active: privileged write access comes only from the
# ACLs above (cn=Directory Admins group, uid=root on cn=config).
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
### Recommended indices by samba
index displayName pres,sub,eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
### Index for krb5
index krb5PrincipalName eq
# typically, this rule should only be used by Heimdal kerberos
# SASL authorization identity mapping. Rules are tried in order and the first
# match wins, so the two uid 0 / gid 0 peercred rules must precede the generic
# one below. Root over ldapi is mapped to 'uid=Local Admin', not to
# uid=root,ou=People.
authz-regexp
uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth
"uid=Local Admin,ou=Services,dc=HanHuy,dc=com"
authz-regexp
gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
"uid=Local Admin,ou=Services,dc=HanHuy,dc=com"
# map all other local users to their respective ldap entries
# The LDAP URL search must return exactly one posixAccount for the mapping to
# succeed. NOTE(review): the capture is (.*) rather than [0-9]+; peercred
# values come from the kernel so the risk is low, but a digit class would
# document the intent.
authz-regexp
uidNumber=(.*)\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth
ldap:///ou=People,dc=HanHuy,dc=com??one?(&(uidNumber=$1)(objectClass=posixAccount))
# Kerberos principals: uid@GOFTI.COM (realm form) and realm-less GSSAPI
# identities map to the entry of the same uid under ou=People; the transcript
# shows root@GOFTI.COM resolving to uid=root,ou=people,dc=hanhuy,dc=com.
authz-regexp
uid=([^,]+),cn=gofti.com,cn=GSSAPI,cn=auth
uid=$1,ou=People,dc=HanHuy,dc=com
authz-regexp
uid=([^,]+),cn=GSSAPI,cn=auth
uid=$1,ou=People,dc=HanHuy,dc=com